Burp Suite User Forum

Lab: Username enumeration via different responses

Shahid | Last updated: Jul 08, 2020 01:47PM UTC

Hello, just updated Burp to v2020.6. I'm trying to complete this lab, however not sure if the lab is out of date or if the new version of Burp is not compatible? I've got to step 8, however in the results page, all the length results of the payloads have the same length of 2985. According to the lab there should be one different to the others but that doesn't seem to be the case? I've checked the payload type and it's set for simple list and I can see the list of payloads it's trying to attack with? Any ideas?

Ben, PortSwigger Agent | Last updated: Jul 08, 2020 05:54PM UTC

Hi Shahid, This lab seems to be functioning as expected. The one different response only has a slightly different length compared to the others (in my run through the length was 2987 compared to the others being of length 2985) - is it possible that you might have missed this in the results?

Shahid | Last updated: Jul 10, 2020 01:33PM UTC

Hello, I managed to get the username, however on step 12 it's not showing status 302. Can only see 200s. I know the username is different from what it was earlier in the week so obviously lab content has been updated. Please can this be checked because it could be a bug?

Shahid | Last updated: Jul 10, 2020 02:39PM UTC

Please can this be checked?

Ben, PortSwigger Agent | Last updated: Jul 13, 2020 08:31AM UTC

Hi, I have just run through this and was able to find a password returning the 302 status so the lab is working as expected. Each lab will expire after a certain period of inactivity or after a longer maximum period of time. For this lab the username and password combination will be randomly selected from those available so you really need to complete this activity in one sitting.

Carlos | Last updated: Oct 30, 2021 03:23AM UTC

I'm running into the same problem now. I am running Community Edition v2021.8.4 Build 9894 on Kali running on VirtualBox. I have screen prints and was hoping I could attach them. All requests get a 200 with a length of 3006. I have Intercept off, FoxyProxy thru Burp on, sniper attack, Simple List. I tried logging into the site using app1 / harley and got 'Invalid username' (tested with username app1 (the number one) and appl (L) - neither worked).

Carlos | Last updated: Oct 30, 2021 04:24PM UTC

I just updated to CE v2021.9 and it's now working (returning a different length for one of the usernames).

digitalempress | Last updated: Jul 15, 2022 04:50PM UTC

The password list for this lab does not work. I have run it multiple times and get 200 status responses for each password option.

digitalempress | Last updated: Jul 15, 2022 07:39PM UTC

I lied. It works. I didn't have the username parameter selected when trying to find the password. My apologies <3

Alvin | Last updated: Mar 09, 2023 03:38AM UTC

Same here. I tried app1 or harley; it is not working for me.

Alvin | Last updated: Mar 09, 2023 03:40AM UTC

I tried every single username; it says invalid username.

Alvin | Last updated: Mar 09, 2023 03:42AM UTC

"Each lab will expire after a certain period of inactivity or after a longer maximum period of time. For this lab the username and password combination will be randomly selected from those available so you really need to complete this activity in one sitting." This doesn't make sense to me.

Ben, PortSwigger Agent | Last updated: Mar 09, 2023 10:48AM UTC

Hi, Are you able to provide us with some details of the steps that you are taking to solve this lab? In addition to the above, are you using Burp Professional or Burp Community when you attempt the lab? With regards to my previous comment - the username/password combination will change in each lab instance (if you notice, when you launch a lab you will get a unique URL - this identifies a specific lab instance) so you cannot identify the correct username/password once and assume that these will still be the correct credentials when you come to use the lab again in future (this was in response to a previous comment by a user that stated that 'I know the username is different from what it was earlier in the week so obviously lab content has been updated').